Abstract. We present the first study of robustness of systems that are
both timed as well as reactive (I/O). We study the behavior of such timed
I/O systems in the presence of uncertain inputs and formalize their
robustness using the analytic notion of Lipschitz continuity. Thus, a timed
I/O system is K-(Lipschitz) robust if the perturbation in its output is at
most K times the perturbation in its input. We quantify input and output
perturbation using similarity functions over timed words such as the
timed version of the Manhattan distance and the Skorokhod distance. We
consider two models of timed I/O systems: timed transducers and
asynchronous sequential circuits. While K-robustness is undecidable even for
discrete transducers, we identify a class of timed transducers which
admits a polynomial space decision procedure for K-robustness. For
asynchronous sequential circuits, we reduce K-robustness w.r.t. timed
Manhattan distances to K-robustness of discrete letter-to-letter transducers
and show PSPACE-completeness of the problem.


1 Introduction 

Real-time systems operating in physical environments are increasingly
commonplace today. An inherent problem faced by such computational systems is
input uncertainty caused by sensor inaccuracies, imprecise environment
assumptions etc. This means that the input data may be noisy and/or may have
timing errors. Hence, it is not enough for such a timed I/O system to be
functionally correct. It is also desirable that the system be continuous or
robust, i.e., the system behavior degrades smoothly in the presence of input
disturbances. We illustrate this property with two examples of timed I/O
systems.

Example 1. Consider two timed I/O systems which process a sequence of ticks
and calibrate the intervals between the ticks (see Fig. 1). In particular, the
goal is to track if an interval is greater than some given $\Delta$. The first
timed I/O system $\mathcal{T}$ is an offline processor; upon arrival of each
request, $\mathcal{T}$ waits till the next request, and outputs $\top$ if the
interval is less than or equal to $\Delta$ and $\bot$ otherwise. The second
timed I/O system $\mathcal{T}'$ is an online processor; $\mathcal{T}'$ starts
generating $\top$ immediately upon arrival of each request, and switches its
output to $\bot$ after $\Delta$ time, until the arrival of the next request.

Consider two periodic tick sequences: $i_1$ and $i_2$ as shown in Fig. 1. The
duration between ticks in $i_1$, $i_2$ is $\Delta$, $\Delta + \epsilon$,
respectively. Thus $i_2$ can be viewed as a timing distortion of $i_1$. While
the output $o_1$ of $\mathcal{T}$ on $i_1$ is a constant sequence of $\top$,
the output $o_2$ of $\mathcal{T}$ on $i_2$ consists of $\bot$ entirely. Thus, a
small timing perturbation in the input of $\mathcal{T}$ can cause a large
perturbation in its output. On the other hand, a small timing perturbation in
the input of $\mathcal{T}'$ only causes a proportionally small perturbation in
its output. Indeed, while the output $o'_1$ of $\mathcal{T}'$ on $i_1$ is also
a constant sequence of $\top$, the output $o'_2$ of $\mathcal{T}'$ on $i_2$ is
a sequence of $\top$, with periodic $\bot$ intervals of $\epsilon$-duration.




Fig. 1: Timing distortion 


Example 2. Consider two asynchronous sequential circuits $C$ and $C'$ shown in
Fig. 2. For each circuit, the input is $i$, the output is $i \lor y$ and the
value of variable $y$ at time $t$ equals the value of variable $z$ at time
$t - 1$. In circuit $C$, variable $z$ equals $i \lor y$ and in circuit $C'$,
variable $z$ equals $i$. Initially $y$ is set to 0.

Consider inputs $i_1$ and $i_2$ such that $i_1$ is constantly 0, and $i_2$ is 1
in the interval $[0, \epsilon)$ and 0 otherwise (see Fig. 2). Thus, $i_2$ can
be viewed as representing a transient fault in $i_1$. The outputs of both $C$
and $C'$ for $i_1$ are constantly 0. For $i_2$, $C$ produces a periodic
sequence that equals 1 exactly in the intervals
$[0, \epsilon), [1, 1 + \epsilon), [2, 2 + \epsilon), \ldots$, whereas $C'$
produces the output that equals 1 only in the intervals $[0, \epsilon)$ and
$[1, 1 + \epsilon)$. Thus, the effect of a small input perturbation propagates
forever in the output of $C$. On the other hand, the effect of a small input
perturbation is limited to a bounded time in the output of $C'$.

We present the first study of robustness of systems that are both timed as
well as reactive (I/O). We formalize robustness of timed I/O systems as
Lipschitz continuity: a function is Lipschitz-continuous if its output changes
proportionally to every change in the input. Given a constant $K$ and
similarity functions $d_\Sigma$, $d_\Gamma$ for computing the input, output
perturbation, respectively, a timed I/O system $\mathcal{T}$ is defined to be
$K$-Lipschitz robust (or simply, $K$-robust) w.r.t. $d_\Sigma$, $d_\Gamma$ if
for all timed words $w$, $v$ in the domain of $\mathcal{T}$ with finite
$d_\Sigma(w, v)$,

$$d_\Gamma(\llbracket\mathcal{T}\rrbracket(w), \llbracket\mathcal{T}\rrbracket(v)) \le K\, d_\Sigma(w, v).$$

In this work, we focus on $K$-robustness of two models of timed I/O systems:
timed transducers (Ex. 1) and asynchronous sequential circuits (ASCs) (Ex. 2).
We define a timed transducer as a timed automaton over an alphabet partitioned
into an input alphabet $\Sigma$ and an output alphabet $\Gamma$. A timed
transducer defines a transduction over timed words, or a timed relation. An ASC
is composed of a combinational circuit (CC), delay elements and feedback loops
(see, for instance, Fig. 2). An ASC also defines a timed relation. However,
timed transducers and ASCs are expressively incomparable. A simple ASC that
delays its inputs by 1 time unit is not expressible by timed transducers:
intuitively, the timed transducer at time 1 would need to remember arbitrarily
many timed events from the interval $[0, 1)$. Conversely, a simple timed
transducer that outputs 1 if the duration between preceding input events is
greater than 1, and 0 otherwise cannot be expressed by any ASC.

Since $K$-robustness is undecidable for discrete transducers [12], it is also
undecidable in general for our timed transducers. We identify a class of timed
transducers, called timed-synchronized transducers, which admit decidable
$K$-robustness. This class includes timed Mealy machines, i.e., timed
transducers that accept timed words with alternating input and output letters.
The key idea behind decidability is a reduction of $K$-robustness of
timed-synchronized transducers to emptiness of weighted timed automata, given
similarity functions computable by weighted timed automata. In particular, our
results for timed-synchronized transducers include the following:

1. $K$-robustness is PSPACE-complete for timed Manhattan distances.

2. $K$-robustness is PSPACE-complete for accumulated delay distances, under
practically-viable environment assumptions (e.g., minimum symbol persistence).

3. $K$-robustness is PSPACE-complete if the input perturbation is computed as
a Skorokhod distance and the output perturbation is computed as a timed
Manhattan distance.

We reduce $K$-robustness of ASCs w.r.t. timed Manhattan distances to
$K$-robustness of discrete letter-to-letter transducers, and show that
$K$-robustness of ASCs is PSPACE-complete. The reduction consists of two steps.
First, we show that on inputs that are step functions, ASCs behave like
discrete letter-to-letter transducers. Second, we show that if an ASC is not
$K$-robust w.r.t. timed Manhattan distances, there exists a witness consisting
of a pair of inputs that are step functions.

The paper is organized as follows. We first recall necessary formalisms
(Sec. 2) and present our models of timed I/O systems (Sec. 3). We formalize our
notion of robustness for such systems (Sec. 4) and define the similarity
functions of interest (Sec. 5). We then present our results on robustness
analysis of timed transducers (Sec. 6) and ASCs (Sec. 7) w.r.t. various
similarity functions.


Related work. Robustness of systems has been studied in different contexts
such as robust control, timed automata [5], discrete transducers and
sequential circuits [S]. However, none of these results are directly applicable
to robustness of timed I/O systems. There are two main reasons. First, we are
interested in robustness w.r.t. input perturbation. Second, timed I/O systems
exhibit both discrete and continuous behavior. Robust control typically
involves reasoning about continuous state-spaces and focuses on designing
controllers that function properly in the presence of perturbation in various
internal parameters of a system's model. The study of robustness of timed
automata focuses on the design of models whose language is robust to
infinitesimal timing perturbation (e.g. clock drifts). This work does not
explicitly consider input perturbation, nor does it focus on quantifying the
effect of input perturbation on the output. Robustness analysis of finite-state
transducers is limited to purely discrete systems and data. In [S], the authors
study the robustness of synchronous sequential circuits modeled as discrete
Mealy machines. Their notion of robustness bounds the persistence of the effect
of a sporadic disturbance and is also limited to discrete data.

In other related work, the authors develop different notions of robustness for
reactive systems, with $\omega$-regular specifications, interacting with
uncertain environments. There has also been foundational work on continuity and
robustness analysis of software programs manipulating numbers.








2 Preliminaries 


2.1 Timed automata 

We briefly present basic notions regarding timed automata. We refer the reader
to [2] for a comprehensive survey on timed automata.

Timed words. Let $\mathbb{R}^+$, $\mathbb{Q}^+$ denote the set of all
nonnegative real numbers, rational numbers, respectively. A (finite or
infinite) timed word over an alphabet $\Sigma$ is a word over
$(\Sigma, \mathbb{R}^+)$: $(a_0, t_0)(a_1, t_1) \cdots$ such that
$t_0, t_1, \ldots$ is a weakly increasing sequence. A pair $(a, t)$ is referred
to as an event. We denote by $TC(\Sigma)$ the set of all timed words over
$\Sigma$. For a timed word $w = (a_0, t_0)(a_1, t_1) \ldots$ we define
$\mathrm{untimed}(w) = a_0 a_1 \ldots$ as the projection of $w$ on the $\Sigma$
component.

Disjoint union of timed words. Let $w_1$, $w_2$ be timed words over the
alphabet $\Sigma$. We define the disjoint union of $w_1$ and $w_2$, denoted
$w_1 \oplus w_2$, as the union of events of $w_1$ and $w_2$, annotated with the
index of the word ($w_1$ or $w_2$) it belongs to. E.g.
$(a, 0.4)(b, 2.1) \oplus (b, 0.3)(b, 0.4) = ((b, 2), 0.3)((a, 1), 0.4)((b, 2), 0.4)((b, 1), 2.1)$.
The word $w_1 \oplus w_2$ is a timed word over the alphabet
$\Sigma \times \{1, 2\}$.

Clocks. Let $X$ be a set of clocks. A clock constraint is a conjunction of
terms of the form $x \odot c$, where $x \in X$, $c \in \mathbb{Q}^+$ and
$\odot \in \{<, \le, =, \ge, >\}$. Let $B(X)$ denote the set of clock
constraints. A clock valuation $v$ is a mapping $v : X \mapsto \mathbb{R}^+$.

Timed automata. A timed automaton $\mathcal{A}$ is a tuple
$(\Sigma, L, l_0, X, \delta, F)$ where $\Sigma$ is the alphabet of
$\mathcal{A}$, $L$ is a set of locations, $l_0 \in L$ is the initial location,
$X$ is a set of clocks,
$\delta \subseteq L \times \Sigma \times B(X) \times 2^X \times L$ is the
switch relation and $F \subseteq L$ is a set of accepting locations.

Semantics of timed automata. The semantics of a timed automaton $\mathcal{A}$
is defined using an infinite-state transition system $\mathcal{A}$ over the
alphabet $(\Sigma \cup \{\epsilon\}) \times \mathbb{R}^+$. A state $q$ of
$\mathcal{A}$ is a pair $(l, v)$ consisting of a location $l \in L$ and a clock
valuation $v$. A state $q = (l, v)$ satisfies a clock constraint $g$, denoted
$q \models g$, if the formula obtained from $g$ by substituting clocks from $X$
by their valuations in $v$ is true. There are two kinds of transitions in
$\mathcal{A}$: (i) elapse of time: $(l, v) \to^{\tau} (l, v')$ iff for every
$x \in X$, $v'(x) = v(x) + \tau$ and (ii) location switch:
$(l, v) \to^{a} (l', v')$ iff there is a switch of $\mathcal{A}$,
$(l, a, g, \gamma, l')$, such that $(l, v) \models g$, and for each $x \in X$,
$v'(x) = 0$ if $x \in \gamma$ and $v'(x) = v(x)$ otherwise. An elapse of time
is usually followed by a location switch. Thus we define the composition
$\to^{\tau} \circ \to^{a}$ and denote it as $\to^{\tau}_{a}$. The initial state
of $\mathcal{A}$ is the state $(l_0, v)$ where for each $x \in X$, $v(x) = 0$.
The accepting states of $\mathcal{A}$ are all states of the form $(l, v)$,
where $l \in F$. A run of $\mathcal{A}$ over a timed word
$w = (a_0, t_0)(a_1, t_1) \cdots (a_k, t_k)$ is the sequence:
$q_0 \to^{t_0}_{a_0} q_1 \to^{t_1 - t_0}_{a_1} q_2 \cdots q_k \to^{t_k - t_{k-1}}_{a_k} q_{k+1}$,
where $q_0$ is the initial state of $\mathcal{A}$.

The run is accepting if $q_{k+1}$ is an accepting state. The set of accepting
runs of $\mathcal{A}$ is denoted $[\mathcal{A}]$. We say a timed word $w$ is
accepted by $\mathcal{A}$ if there is a run in $[\mathcal{A}]$ whose projection
to $\Sigma \times \mathbb{R}^+$ is $w$.

The emptiness problem for timed automata is as follows: given a timed
automaton $\mathcal{A}$, decide if $[\mathcal{A}]$ is nonempty. The emptiness
problem is also referred to as the reachability problem as it is equivalent to
reachability of an accepting state in $\mathcal{A}$.


2.2 Weighted timed automata 


A weighted timed automaton (WTA) is a timed automaton augmented by a
function $C : L \cup \delta \mapsto \mathbb{Q}$ that associates weights with
the locations and switches of the timed automaton. The value of a run
$(l_0, v_0) \to^{\tau_0} (l_0, v_1) \to^{a_0} (l_1, v_2) \cdots \to^{a_k} (l_{k+1}, v_{2k+2})$
is given by

$$\sum_{i=0}^{k} C(l_i)\,\tau_i + \sum_{i=0}^{k} C(e_i)$$

where $e_i$ is the switch taken in the transition
$(l_i, v_{2i+1}) \to^{a_i} (l_{i+1}, v_{2i+2})$. The value of a timed word $w$
assigned by a WTA $\mathcal{A}$, denoted $\mathcal{L}_{\mathcal{A}}(w)$, is
defined as the infimum over values of all accepting runs of $\mathcal{A}$ on
$w$.

The quantitative emptiness problem for WTA is as follows: given a WTA
$\mathcal{A}$ and $\lambda \in \mathbb{Q}$, decide if $\mathcal{A}$ has an
accepting run with value smaller than $\lambda$.

Theorem 3. The quantitative emptiness problem for WTA is PSpace-complete.

A WTA $\mathcal{A}$ is functional if for every timed word $w$, all accepting
runs of $\mathcal{A}$ on $w$ have the same value.


2.3 Discrete transducers 

Discrete (finite-state) transducers. A finite-state transducer (FST)
$\mathcal{T}$ is a tuple $(\Sigma, \Gamma, Q, Q_0, E, F)$ where $\Sigma$ is the
input alphabet, $\Gamma$ is the output alphabet, $Q$ is a finite nonempty set
of states, $Q_0 \subseteq Q$ is a set of initial states,
$E \subseteq Q \times \Sigma \times \Gamma^* \times Q$ is a set of transitions,
and $F$ is a set of accepting states.

Semantics of discrete transducers. A run $\gamma$ of $\mathcal{T}$ on an input
word $s = s[1]s[2] \ldots s[n]$ is defined in terms of the sequence:
$(q_0, w'_1), (q_1, w'_2), \ldots$ where $q_0 \in Q_0$ and for each
$i \in \{1, 2, \ldots\}$, $(q_{i-1}, s[i], w'_i, q_i) \in E$. A run
$(q_0, w'_1), \ldots, (q_{n-1}, w'_n), (q_n, \emptyset)$ is accepting if
$q_n \in F$. The output of $\mathcal{T}$ along a run is the word
$w'_1 \cdot w'_2 \cdot \ldots$ if the run is accepting, and is undefined
otherwise. The transduction computed by an FST $\mathcal{T}$ is the relation
$\llbracket\mathcal{T}\rrbracket \subseteq \Sigma^\omega \times \Gamma^\omega$
(resp., $\llbracket\mathcal{T}\rrbracket \subseteq \Sigma^* \times \Gamma^*$),
where $(s, s') \in \llbracket\mathcal{T}\rrbracket$ iff there is an accepting
run of $\mathcal{T}$ on $s$ with $s'$ as the output along that run.

Types of discrete transducers. An FST $\mathcal{T}$ is called functional if the
relation $\llbracket\mathcal{T}\rrbracket$ is a function. In this case, we use
$\llbracket\mathcal{T}\rrbracket(s)$ to denote the unique output word generated
along any accepting run of $\mathcal{T}$ on input word $s$. An FST is a
letter-to-letter transducer if in every transition $(q, a, w', q')$ we have
$|w'| = 1$.


3 Models of Timed I/O Systems 

In this section, we present two models of timed I/O systems whose robustness 
will be studied in the following sections. 


3.1 Timed transducers 


In this section, we define timed transducers, which extend classical discrete
transducers.

Definition 4 (Timed transducer). A timed transducer $\mathcal{T}$ is a timed
automaton over an alphabet partitioned into an input alphabet $\Sigma$ and an
output alphabet $\Gamma$.

Semantics of timed transducers. Given a timed transducer $\mathcal{T}$, we
define a relation
$\llbracket\mathcal{T}\rrbracket \subseteq TC(\Sigma) \times TC(\Gamma)$ by
$\llbracket\mathcal{T}\rrbracket = \{(w, v) : \mathcal{T} \text{ accepts } w \oplus v\}$.
We say that $v \in TC(\Gamma)$ is an output of $\mathcal{T}$ on
$w \in TC(\Sigma)$ if $(w, v) \in \llbracket\mathcal{T}\rrbracket$.

In the following proposition we study the discrete parts of relations defined
by timed transducers. We show that by imposing an additional assumption on
transducers, namely that they do not have cycles labeled by $\Gamma$, we obtain
a model that defines relations on timed words such that their untimed parts
can be defined by discrete transducers. More formally, for a timed relation
$R \subseteq TC(\Sigma) \times TC(\Gamma)$, we define
$\mathrm{untimed}(R) \subseteq \Sigma^* \times \Gamma^*$ as follows: for all
$s \in \Sigma^*$, $t \in \Gamma^*$, we have $(s, t) \in \mathrm{untimed}(R)$
iff there exist $w \in TC(\Sigma)$, $v \in TC(\Gamma)$ such that
$(w, v) \in R$, $s = \mathrm{untimed}(w)$ and $t = \mathrm{untimed}(v)$.

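Proposition 5. (i): For every timed transducer $\mathcal{T}$ that has no cycles
labeled by $\Gamma$, there exists a (nondeterministic) discrete transducer
$\mathcal{T}^d$ of exponential size in $|\mathcal{T}|$ such that
$\mathrm{untimed}(\llbracket\mathcal{T}\rrbracket)$ and
$\llbracket\mathcal{T}^d\rrbracket$ coincide. (ii): For every discrete
transducer $\mathcal{T}^d$, there exists a timed transducer $\mathcal{T}$ that
has no cycles labeled by $\Gamma$ such that
$\mathrm{untimed}(\llbracket\mathcal{T}\rrbracket)$ and
$\llbracket\mathcal{T}^d\rrbracket$ coincide.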

Functionality. A transducer is timed-functional iff
$\llbracket\mathcal{T}\rrbracket$ is a function, i.e., for all
$w \in TC(\Sigma)$ and $v_1, v_2 \in TC(\Gamma)$, if both
$(w, v_1) \in \llbracket\mathcal{T}\rrbracket$ and
$(w, v_2) \in \llbracket\mathcal{T}\rrbracket$, then $v_1 = v_2$. For a
timed-functional transducer $\mathcal{T}$, we use
$\llbracket\mathcal{T}\rrbracket(w)$ to denote the unique output of
$\mathcal{T}$ on $w$.

Proposition 6. Deciding timed functionality of a timed transducer is
PSpace-complete.

Observe that a timed transducer does not have to be timed-functional, even
if it is deterministic when viewed as a timed automaton. Indeed, a trivial
timed automaton that accepts every word over the alphabet
$\Sigma \cup \Gamma$ is deterministic and it is a timed transducer. However, it
is not functional.

In [7] we present a sufficient condition for timed-functionality which can
be checked in polynomial time. We further identify a class of transducers
for which this condition is also necessary. A switch in a timed automaton
is rigid iff it is guarded by a constraint containing equality. A location $l$
in a timed automaton is unambiguous if all constraints of any two outgoing
switches from $l$ are strongly inconsistent, i.e., for all
$x_1, \ldots, x_n, t$ the formula
$g_1(x_1, \ldots, x_n) \land g_2(x_1 + t, \ldots, x_n + t)$ does not hold. A
transducer is safe if every location with outgoing $\Sigma$ switches is
accepting.


Proposition 7. (1) A deterministic timed transducer in which (a) all switches
labeled by $\Gamma$ are rigid, and (b) all locations with outgoing switches
labeled with $\Gamma$ are unambiguous, is functional. (2) Every function
defined by a deterministic safe timed transducer is also defined by a
deterministic safe timed transducer satisfying (a) and (b) from (1).


3.2 Asynchronous Sequential Circuits 



Fig. 3: A generic ASC. 


The second model of timed I/O systems that we consider is an asynchronous
sequential circuit (ASC). A generic ASC is shown in Fig. 3 and some example
ASCs are shown in Fig. 2.

An ASC is an I/O system composed of a combinational circuit (CC) and
memory devices, or delay elements. A CC is simply a Boolean logic circuit that
computes Boolean functions of its inputs. A CC is memoryless: the values of
the circuit's output variables at time instant $t$ are functions of the values
of the circuit's input variables at the same time instant $t$. A delay element
is always labeled with some $d > 0$. The output of a $d$-delay element at time
$t$ equals its input at time $t - d$. We consider delays that are natural
numbers.

ASCs may contain cycles, or feedback loops. Each such cycle is required to
contain at least one delay element. Due to the presence of delay elements and
feedback loops, an ASC has memory: the outputs of an ASC at time instant $t$
are in general functions of its inputs at time instant $t$, as well as at time
instants $t' < t$. The inputs of the delay elements of an ASC are called
excitation variables. The outputs of the delay elements of an ASC are called
secondary variables. The relationships between input, output, excitation and
secondary variables of an ASC are graphically represented in Fig. 3 and
formally defined below.





















Definition 8. Let $C$ be an ASC with input variables
$X = \{i^1, \ldots, i^m\}$, output variables $O = \{o^1, \ldots, o^n\}$,
excitation variables $Z = \{z^1, \ldots, z^k\}$, secondary variables
$Y = \{y^1, \ldots, y^k\}$ and delay elements $\Delta = \{d^1, \ldots, d^k\}$.
Let $i(t)$ and $X(t)$ denote the values of input $i$ and all inputs $X$ at time
$t$, respectively. One can similarly define $o(t)$, $Y(t)$ etc. We have the
following:

$$\forall j \in [1, k] : \quad y^j(t) = \begin{cases} 0 & \text{if } t \in [0, d^j) \\ z^j(t - d^j) & \text{if } t \ge d^j \end{cases}$$

$$\forall j \in [1, k] : \quad z^j(t) = f^j(i^1(t), \ldots, i^m(t), y^1(t), \ldots, y^k(t))$$

$$\forall j \in [1, n] : \quad o^j(t) = g^j(i^1(t), \ldots, i^m(t), y^1(t), \ldots, y^k(t)).$$

Here, $f^1, \ldots, f^k$ and $g^1, \ldots, g^n$ are Boolean functions. The
input alphabet of ASC $C$, denoted $\Sigma$, is given by $\{0, 1\}^m$. The
output alphabet of $C$, denoted $\Gamma$, is given by $\{0, 1\}^n$. The ASC $C$
defines a transduction
$\llbracket C \rrbracket \subseteq TC(\Sigma) \times TC(\Gamma)$ such that
$\llbracket C \rrbracket$ is a total function. Thus, the domain of $C$ is given
by $\mathrm{dom}(C) = TC(\Sigma)$. We use $\llbracket C \rrbracket(w)$ to
denote the unique output of $C$ on $w$.

4 Problem Statement 

Similarity functions. In our work, we use similarity functions to measure the
similarity between timed words. Let $S$ be a set of timed words and let
$\mathbb{R}^\infty$ denote the set $\mathbb{R} \cup \{\infty\}$. A similarity
function $d : S \times S \to \mathbb{R}^\infty$ is a function with the
properties: $\forall x, y \in S$: (1) $d(x, y) \ge 0$ and (2)
$d(x, y) = d(y, x)$. A similarity function $d$ is also a distance (function or
metric) if it satisfies the additional properties: $\forall x, y, z \in S$:
(3) $d(x, y) = 0$ iff $x = y$ and (4) $d(x, z) \le d(x, y) + d(y, z)$. We
emphasize that in our work we do not need to restrict similarity functions to
be distances.

In this paper, we are interested in studying the K-Lipschitz robustness of 
timed-functional transducers and ASCs. 

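Definition 9 ($K$-Lipschitz Robustness of Timed I/O Systems). Let $\mathcal{T}$
be a timed-functional transducer or an ASC with
$\llbracket\mathcal{T}\rrbracket \subseteq TC(\Sigma) \times TC(\Gamma)$. Given
a constant $K \in \mathbb{Q}$ with $K > 0$ and similarity functions
$d_\Sigma : TC(\Sigma) \times TC(\Sigma) \to \mathbb{R}^\infty$ and
$d_\Gamma : TC(\Gamma) \times TC(\Gamma) \to \mathbb{R}^\infty$, the timed I/O
system $\mathcal{T}$ is called $K$-Lipschitz robust w.r.t. $d_\Sigma$,
$d_\Gamma$ if:

$$\forall w, v \in \mathrm{dom}(\mathcal{T}) : \; d_\Sigma(w, v) < \infty \Rightarrow d_\Gamma(\llbracket\mathcal{T}\rrbracket(w), \llbracket\mathcal{T}\rrbracket(v)) \le K\, d_\Sigma(w, v).$$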

5 Similarity Functions between Timed Words 

Timed words as càdlàg functions. Consider a timed word
$w : (a_0, t_0)(a_1, t_1) \ldots (a_k, t_k)$ over $(\Sigma, I)$, where
$I = [t_0, t_k]$ is an interval in $\mathbb{R}^+$. We define a càdlàg function
$w_C : I \mapsto \Sigma$ as follows: for each $j \in \{0, 1, \ldots, k - 1\}$,
$w_C(t) = a_j$ if $t \in [t_j, t_{j+1})$, and $w_C(t_k) = a_k$. We define a
timed word
$\mathrm{timed}(w_C) = (\alpha_0, \delta_0)(\alpha_1, \delta_1) \ldots (\alpha_n, \delta_n)$
corresponding to the càdlàg function $w_C$ such that: for each
$j \in \{0, 1, \ldots, n\}$, $\alpha_j = w_C(\delta_j)$ and
$\delta_j \in \{\delta_0, \ldots, \delta_n\}$ iff $w_C$ changes value at
$\delta_j$. The timed word $\mathrm{timed}(w_C)$ can be interpreted as a
stuttering-free version of the timed word $w$.

Example. Let $w$ be the timed word
$(a, 0)(b, 1.3)(a, 2)(a, 2.9)(c, 3.7)(a, 5)$. Then $w_C$ is given by the
following càdlàg function over the interval $[0, 5]$.

[Figure: plot of $w_C$ over $[0, 5]$, with the values a, b, c on the vertical
axis and the breakpoints 1.3, 2, 3.7, 5 on the time axis.]

The timed word $\mathrm{timed}(w_C) = (a, 0)(b, 1.3)(a, 2)(c, 3.7)(a, 5)$.

In what follows, let $w$, $v$ be timed words over $(\Sigma, I)$ with
$I \subseteq \mathbb{R}^+$. And let $w_C$, $v_C$ be càdlàg functions over $I$
as defined above. We present several similarity functions between timed words
below. As will be clear, the similarity between two timed words is computed as
the similarity between their corresponding càdlàg functions. We first present a
similarity function between discrete words.

Generalized Manhattan distance. The generalized Manhattan distance over
discrete words $s$, $t$ is defined as:
$d_M(s, t) = \sum_{i} \mathrm{diff}(s[i], t[i])$, where $\mathrm{diff}$ is the
mismatch penalty for substituting letters. The mismatch penalty is required
to be a distance metric on the alphabet (extended with a special end-of-string
letter # for finite words). When $\mathrm{diff}(a, b)$ is defined to be 1 for
all $a$, $b$ with $a \ne b$, and 0 otherwise, $d_M$ is called the Manhattan
distance.


Definition 10 (Timed Manhattan distance).
Given $\mathrm{diff}$ on $\Sigma$:

$$d_{TM}(w, v) = \int_I \mathrm{diff}(w_C(x), v_C(x))\, dx.$$

Thus, the timed Manhattan distance extends the generalized Manhattan distance
by accumulating the pointwise distance, as defined by $\mathrm{diff}$, between
the càdlàg functions corresponding to timed words.


Definition 11 (Accumulated delay distance). Let
$\mathrm{timed}(w_C) = (\alpha_0, \delta_0)(\alpha_1, \delta_1) \cdots (\alpha_n, \delta_n)$
and
$\mathrm{timed}(v_C) = (\beta_0, \tau_0)(\beta_1, \tau_1) \cdots (\beta_m, \tau_m)$.

$$d_{AD}(w, v) = \begin{cases} \sum_{j} |\delta_j - \tau_j| & \text{if } \mathrm{untimed}(\mathrm{timed}(w_C)) = \mathrm{untimed}(\mathrm{timed}(v_C)) \\ \infty & \text{otherwise.} \end{cases}$$

The accumulated delay distance examines the timed words $\mathrm{timed}(w_C)$
and $\mathrm{timed}(v_C)$. If the projections of these timed words on their
$\Sigma$ components are equal, then the distance $d_{AD}(w, v)$ equals the sum
of delays between the corresponding events; otherwise the distance is infinite.
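The following Python sketch is an added example, not code from the paper. It implements the stuttering-free word $\mathrm{timed}(w_C)$, the timed Manhattan distance of Definition 10 and the accumulated delay distance of Definition 11 with exact rational arithmetic. The word `W` is the example word above; `V` and `U` are perturbations constructed for illustration, and all function names are assumptions of this sketch.

```python
from fractions import Fraction


def tw(*events):
    """Build a timed word [(letter, time), ...] with exact rational timestamps."""
    return [(a, Fraction(str(t))) for a, t in events]


def value_at(word, x):
    """w_C(x): the letter of the last event at or before x (right-continuous)."""
    letter = None
    for a, t in word:
        if t > x:
            break
        letter = a
    return letter


def stutter_free(word):
    """timed(w_C): keep only the events at which w_C changes value."""
    last = len(word) - 1
    # An event whose segment [t_j, t_{j+1}) is empty never shows up in w_C;
    # the final event always does, as the single point w_C(t_k).
    visible = [(a, t) for j, (a, t) in enumerate(word)
               if j == last or t < word[j + 1][1]]
    out = []
    for a, t in visible:
        if not out or out[-1][0] != a:
            out.append((a, t))
    return out


def d_tm(w, v, diff=lambda a, b: 0 if a == b else 1):
    """Timed Manhattan distance: integral over I of diff(w_C(x), v_C(x))."""
    if (w[0][1], w[-1][1]) != (v[0][1], v[-1][1]):
        raise ValueError("both words must be defined over the same interval I")
    cuts = sorted({t for _, t in w} | {t for _, t in v})
    # Both functions are constant on each piece [lo, hi) between breakpoints.
    return sum(diff(value_at(w, lo), value_at(v, lo)) * (hi - lo)
               for lo, hi in zip(cuts, cuts[1:]))


def d_ad(w, v):
    """Accumulated delay distance; infinite when the untimed parts differ."""
    sw, sv = stutter_free(w), stutter_free(v)
    if [a for a, _ in sw] != [a for a, _ in sv]:
        return float("inf")
    return sum(abs(s - t) for (_, s), (_, t) in zip(sw, sv))


# The example word from the text, plus two constructed perturbations of it.
W = tw(("a", 0), ("b", 1.3), ("a", 2), ("a", 2.9), ("c", 3.7), ("a", 5))
V = tw(("a", 0), ("b", 1.5), ("a", 2), ("c", 3.4), ("a", 5))  # events shifted
U = tw(("a", 0), ("c", 3.7), ("a", 5))                        # b segment lost

if __name__ == "__main__":
    print("timed(w_C) =", stutter_free(W))
    print("d_TM(w, v) =", d_tm(W, V), " d_AD(w, v) =", d_ad(W, V))
    print("d_TM(w, u) =", d_tm(W, U), " d_AD(w, u) =", d_ad(W, U))
```

For `U` the timed Manhattan distance stays finite while the accumulated delay distance is infinite, because dropping the b segment changes the untimed projection.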

Definition 12 (Skorokhod distance w.r.t. timed Manhattan distance).
Let $\Lambda$ be the set of all continuous bijections from the domain $I$ of
$w_C$ and $v_C$ onto itself.

$$d_S(w_C, v_C) = \inf_{\lambda \in \Lambda} \left( \|Id - \lambda\|_1 + d_{TM}(w_C, v_C \circ \lambda) \right),$$

where $Id$ is the identity function over $I$, $\|\cdot\|_1$ is the $L_1$-norm
over $\mathbb{R}^+$ and $\circ$ is the usual function composition operator.

The Skorokhod distance is a popular distance metric for continuous functions.
Hence, it is also a natural choice for our càdlàg functions. The Skorokhod
distance permits wiggling of the function values as well as the timeline in
order to match up the functions. The timeline wiggle is executed using
continuous bijective functions, denoted $\lambda$, over the timeline. The first
component of the Skorokhod distance measures the magnitude of the timing
distortion resulting from a timeline wiggle $\lambda$. The second component of
the Skorokhod distance measures the magnitude of the function value mismatch
under $\lambda$. The Skorokhod distance is the least value obtained over all
such timeline wiggles. The magnitudes of the timing distortion and function
value mismatch can be computed and combined in different ways. In our work, the
timing distortion is computed as the $L_1$ norm, the function value mismatch is
computed as the timed Manhattan distance and the two are combined using
addition.

We now present some helpful connections between the above distances. 

Proposition 13. [Relations between distances] (i) The accumulated delay
distance coincides with the Skorokhod distance w.r.t. the timed Manhattan
distance defined by $\mathrm{diff}_{=}$ such that: $\forall a, b \in \Sigma$,
$\mathrm{diff}_{=}(a, b) = 0$ if $a = b$ and $\mathrm{diff}_{=}(a, b) = \infty$
otherwise. (ii) For every timed Manhattan distance $d^{\le 1}_{TM}$ defined by
$\mathrm{diff}^{\le 1}$ such that $\forall a, b \in \Sigma$,
$\mathrm{diff}^{\le 1}(a, b) \le 1$, we have the Skorokhod distance w.r.t.
$d^{\le 1}_{TM}$ coincides with $d^{\le 1}_{TM}$.

6 Robustness Analysis of Timed Transducers 

Timed-automatic similarity function. A timed similarity function $d$ is
computed by a WTA $\mathcal{A}$ iff for all $w, v \in TC(\Sigma)$,
$d(w, v) = \mathcal{L}_{\mathcal{A}}(w \oplus v)$. A timed similarity function
$d$ computed by a WTA is called a timed-automatic similarity function.

$N$-interleaved timed words. Timed words $w$, $v$ are defined to be
$N$-interleaved iff in any time interval $[t_1, t_2]$, the numbers of events
from $w$ and from $v$ differ by at most $N$. Intuitively, the $N$-interleaved
property expresses that two words are synchronized.


Definition 14. A timed-functional transducer $\mathcal{T}$ is called
timed-synchronized iff there exists $N$ such that for every
$w \in TC(\Sigma)$, the words $w$ and $\llbracket\mathcal{T}\rrbracket(w)$ are
$N$-interleaved.


Theorem 15. Let $d_\Sigma$, $d_\Gamma$ be timed-automatic similarity functions
such that $d_\Sigma$, $d_\Gamma$ are computed by (nondeterministic) WTA.

(i) There exists a sound procedure for checking $K$-robustness of a
timed-synchronized transducer w.r.t. $d_\Sigma$, $d_\Gamma$ that works in
polynomial space.

(ii) If $d_\Gamma$ is computed by a functional WTA, checking $K$-robustness of
a timed-synchronized transducer w.r.t. $d_\Sigma$, $d_\Gamma$ is
PSpace-complete.

In what follows, we define several timed similarity functions that can be 
computed by functional and nondeterministic WTA. 

Timed similarity functions computed by functional WTA. We show 
that the timed Manhattan and accumulated delay distances can be computed 
by functional WTA. 

The timed Manhattan distance $d_{TM}$ over timed words is computed by a
functional WTA.

To compute the timed Manhattan distance, the WTA simply tracks the
$\mathrm{diff}$ between timed events using its weight function. The semantics
of WTA then imply that the value assigned by the automaton to a pair of timed
words is precisely the timed Manhattan distance between them.

Let $A$, $B$ be any nonnegative real numbers. The accumulated delay distance
$d_{AD}$ over timed words $w$, $v$ such that:

1. the duration of any segment in $w_C$, $v_C$ is greater than $A$ and

2. the delay $|\delta_j - \tau_j|$ between corresponding events in $w_C$,
$v_C$ is less than $B$,

is computed by a functional WTA.

The WTA tracks with its weight function the number of unmatched events. 
Again, the semantics of WTA imply that the value assigned by the automaton 
to a pair of timed words is precisely the accumulated delay distance. To make 
sure that every event is matched to the right event, i.e. the untimed parts are 
equal, the automaton implements a buffer to store the unmatched events. The 
assumptions on the minimal duration of events and the maximal delay between 
the corresponding events imply that the buffer’s size is bounded. 

Timed similarity functions computed by nondeterministic WTA. A (restricted)
Skorokhod distance can be computed by a nondeterministic WTA. We first prove
the following lemma characterizing an essential subset of the set $\Lambda$ of
all timing distortions.

[Skorokhod distance is realized by a piecewise linear function] Let $w$, $v$ be
timed words. Let $\eta$ be the number of segments in $v$. For every
$\epsilon > 0$, there exists a piecewise linear function $\lambda$ consisting
of $\eta$ segments such that
$\left| \|Id - \lambda\|_1 + d_{TM}(w_C, v_C \circ \lambda) - d_S(w_C, v_C) \right| < \epsilon$.

The lemma above implies that $\|Id - \lambda\|_1$ coincides with the
accumulated delay distance between $v_C$ and $v_C \circ \lambda$. This allows
us to compute the Skorokhod distance by a WTA for $\lambda$ for which there is
a WTA that can compute the accumulated delay between $v_C$ and
$v_C \circ \lambda$.

Let $A$, $B$ be any nonnegative real numbers. The Skorokhod distance $d_S$ over
timed words $w$, $v$ restricted to time distortions $\lambda$ such that:

1. the duration of any segment in $v_C$, $v_C \circ \lambda$ is greater than
$A$ and

2. the delay $|\delta_j - \tau_j|$ between corresponding events in $v_C$,
$v_C \circ \lambda$ is less than $B$,

is computed by a nondeterministic WTA.

Remark 16. Physical systems typically have a bounded rate at which they can
generate/process data. Hence, bounding the minimum possible duration of timed
symbols is not a severe restriction from the modeling perspective. Moreover, if
an input is delayed arbitrarily, it makes little sense to constrain the system
behavior. Hence, for robustness analysis, it is also reasonable to bound the
maximum delay between corresponding events.

Summary of decidability results. We summarize the decidability results for
timed-synchronized transducers that follow from Theorem 15 and the lemmas
above.

1. $K$-robustness is PSPACE-complete for timed Manhattan distances.

2. $K$-robustness is PSPACE-complete for accumulated delay distances, under
the environment assumptions of the accumulated delay lemma above.

3. $K$-robustness is PSPACE-complete if the input perturbation is computed as
a Skorokhod distance and the output perturbation is computed as a timed
Manhattan distance.

7 Robustness Analysis of Asynchronous Sequential Circuits

In this section we show that robustness of ASCs w.r.t. the timed Manhattan
distances is PSPACE-complete. The decision procedure is by reduction to
discrete letter-to-letter transducers. Our argument consists of two steps and
relies on the use of step functions, i.e., càdlàg functions that change values
only at integer points. First, we show that on inputs that are step functions,
ASCs behave like discrete letter-to-letter transducers. Second, we show that if
an ASC is not $K$-robust w.r.t. the timed Manhattan distances, there exists a
counterexample consisting of a pair of inputs that are step functions.

ASCs transforming step functions. There is a natural correspondence between
step functions $f : [0, T] \to \{0, 1\}^k$ and words over the alphabet
$\{0, 1\}^k$. The function $f$ defines the word
$w_f = f(0) f(1) \ldots f(T - 1)$ and, conversely, a word
$w \in (\{0, 1\}^k)^*$ defines a step function $f_w$ such that $w_{f_w} = w$.
We aim to show that the behavior of ASCs on step function $f$ is captured by
discrete transducers on words $w_f$.

First, observe that an ASC with integer delays transforms step functions into
step functions. Indeed, the output at time $t$ depends on the input and
secondary variables at time $t$, which are equal to the values of excitation
variables at times $\{t - d^1, \ldots, t - d^k\}$. The excitation variables at
times $\{t - d^1, \ldots, t - d^k\}$ depend on inputs and secondary variables
at times $\{t - d^1, \ldots, t - d^k\}$. As delays are integers, by unraveling
the definition of the output variables (resp., excitation and secondary
variables) at time $t$, we obtain that they depend solely on (a subset of)
inputs at times $\mathrm{frac}(t), \mathrm{frac}(t) + 1, \ldots, t$, where
$\mathrm{frac}(t)$ is the fractional part of $t$. Therefore, if an input is a
step function, then excitation, secondary and output variables are all step
functions. Moreover, the value of the step function output in the interval
$[j, j + 1)$ with $j \in \mathbb{N}$ can be computed using the input value in
the interval $[j, j + 1)$ and the values of excitation variables in the
intervals $[j - d^1, j + 1 - d^1), \ldots, [j - d^k, j + 1 - d^k)$. Therefore,
we can define a discrete letter-to-letter transducer that simulates the given
ASC. Such a transducer remembers in its states values of the excitation
variables in the last $\max(d^1, \ldots, d^k)$ intervals.

(1) If the input to an ASC is a step function, the output is a step function.
(2) Given an ASC $C$, one can compute in polynomial space a discrete
letter-to-letter transducer $T_C$ such that for every step function $f$, the output
of $C$ on $f$ is $f_v$, where $v$ is the output of $T_C$ on $w_f$.


Remark 17. The transducer $T_C$ in the preceding lemma can be constructed in
polynomial space, meaning that its sets of states and accepting states are
succinctly representable and we can decide in polynomial time whether a given
tuple $(q, a, b, q')$ belongs to the transition relation of $T_C$.

Counterexamples to K-robustness of ASCs. Consider an ASC with integer
delays that is not K-robust w.r.t. $d_\Sigma, d_\Gamma$. Then, there are two input
functions $f_1, f_2$ that witness non-K-robustness, i.e.,
$d_\Gamma([\![C]\!](f_1), [\![C]\!](f_2)) > K \cdot d_\Sigma(f_1, f_2)$.
We show that for ASCs, if there exists a pair of functions that witnesses
non-K-robustness, there exists a pair of step functions that witnesses
non-K-robustness as well. Recall that the output of the ASC at time t depends only
on inputs at times $\mathrm{frac}(t), \mathrm{frac}(t) + 1, \ldots, t$. Hence, we
argue that if the pair $f_1, f_2$ is a witness of non-K-robustness, then for some
$x \in [0,1)$, $f_1, f_2$ restricted to the domain
$A_x = \{y \in \mathrm{dom}(f_1) \cap \mathrm{dom}(f_2) \mid \mathrm{frac}(y) = x\}$
is also a witness of non-K-robustness. Since the set $A_x$ is discrete, we can
define step functions based on $f_1, f_2$ restricted to $A_x$.

Let $C$ be an ASC with integer delay elements. If $C$ is not K-robust w.r.t.
timed Manhattan distances $d_\Sigma, d_\Gamma$, then there exists a pair of step
functions $f_1, f_2$ such that
$d_\Gamma([\![C]\!](f_1), [\![C]\!](f_2)) > K \cdot d_\Sigma(f_1, f_2)$.

K-robustness of discrete transducers. We next present a decidability result
that follows from ms. Deciding K-robustness of letter-to-letter transducers
w.r.t. generalized Manhattan distances reduces to quantitative non-emptiness
of weighted automata with SUM-value function m • The latter problem can be
solved in nondeterministic logarithmic space, assuming that the weights are
represented by numbers of logarithmic length. Hence, we obtain the following result
for short generalized Manhattan distances, i.e., distances whose diff values are
represented by numbers of logarithmic length.


Lemma 18. Deciding K-robustness of letter-to-letter transducers w.r.t. short 
generalized Manhattan distances is in NLOGSPACE. 

We can now characterize the complexity of checking K-robustness of ASCs.

Theorem 19. Deciding K-robustness of ASCs with respect to timed Manhattan
distances is PSpace-complete.



Fig. 4: The diagram of an ASC from the reduction of the reachability in succinctly
represented graphs to K-robustness of ASCs.


Proof. Observe that the timed Manhattan distance between step functions f, g
equals the generalized Manhattan distance between the words $w_f, w_g$
corresponding to step functions f, g. This, together with Lemmas [Cl and 171 allows
us to reduce checking K-robustness of ASCs w.r.t. timed Manhattan distances
to checking K-robustness of the corresponding letter-to-letter transducers w.r.t.
generalized Manhattan distances. It then follows from Lemma 18 that checking
K-robustness of ASCs is in PSpace. Note that generalized Manhattan distances
are short in this case as their descriptions are logarithmic in the exponential size
of the letter-to-letter transducer.

The PSPACE-hardness of checking K-robustness of ASCs is obtained by a
reduction from the reachability problem for succinctly represented graphs, which
is PSPACE-complete M- Succinctly represented graphs are given indirectly by
a propositional formula E(w, v), where w, v are vectors of n variables. The
vertexes of the graph are binary sequences of length n, and two sequences are
connected by an edge iff the formula E(w, v) on these sequences holds. Consider
the graph G represented by the formula E(v, w) and its vertex t. We claim
that the ASC given in Fig. 4 is K-robust iff the vertex t is not reachable from
the zero vector (0,..., 0) in G. Due to Lemma [7] it suffices to focus on inputs
that are step functions $f$, or discrete words $w_f$. The input is interpreted as a
sequence of vertexes of G. The ASC in Fig. 4 consists of (a) a circuit E(v, w)
which checks whether there is an edge between v and the input w, (b) a unit
that tests whether u equals the target vertex t and, (c) an oscillator m which
outputs 0 when the input is 0, and once the input is 1, outputs 1 until the end
of the input. Initially, v is the zero vector. If there is an edge between v and
w, u is set to w, and hence, v equals w in the next step and w is checked for
equality with t. If w = t, the oscillator is activated. Otherwise, if there is no edge
between v and w, u is set to the zero vector, which corresponds to transitioning
back to the initial vertex; v equals the zero vector in the next step and the zero
vector is checked for equality with t.

If t is not reachable from the zero vector, the output of the ASC is always
0, and hence the ASC is K-robust for every K. Conversely, we claim that if t is
reachable from the zero vector, then the ASC is not K-robust for any K. Indeed,
consider a shortest path from the zero vector to the target vertex
$0, v_1, \ldots, t$ and consider the following two inputs:
$i_1 = 0, v_1, \ldots, t, 0^K$, the path leading to activation of the oscillator
followed by K inputs that are zero vectors, and
$i_2 = 0, v_1, \ldots, t', 0^K$, which is obtained from $i_1$ by changing one bit
in t. Observe that the oscillator in the ASC is not activated on the input $i_2$,
hence the output is 0. Therefore, while the timed Manhattan distance between the
inputs is 1, the timed Manhattan distance between the outputs is K + 1, for any
chosen K.
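
The reduction above, run as the discrete letter-to-letter transducer that simulates the ASC on step functions (Section 7), is sketched below. This is an added example, not code from the paper: the explicit edge sets standing in for the formula E, the 2-bit toy graphs, the function names and the 0/1 diff function are all assumptions made here.

```python
from collections import deque
from itertools import product

N = 2                 # bits per vertex in the constructed toy graphs
ZERO = (0,) * N       # the zero vector, i.e. the initial vertex

def make_asc(edges, target):
    """Discrete letter-to-letter transducer simulating the reduction's ASC on
    step functions. `edges` stands in for the formula E(v, w); the state is
    (v, osc): v is the unit-delayed copy of u, osc is the oscillator latch."""
    def run(word):
        v, osc, out = ZERO, 0, []
        for w in word:                            # one letter per unit interval
            u = w if (v, w) in edges else ZERO    # (a) circuit E(v, w)
            osc |= int(u == target)               # (b) equality test, (c) oscillator
            out.append(osc)
            v = u                                 # delay element: v(j+1) = u(j)
        return out
    return run

def manhattan(x, y):
    """Generalized Manhattan distance with diff(a, b) = 1 iff a != b (assumed
    diff). On step functions it equals the timed Manhattan distance."""
    assert len(x) == len(y)
    return sum(a != b for a, b in zip(x, y))

def shortest_path(edges, target):
    """BFS from the zero vector; returns [ZERO, v1, ..., target] or None."""
    parent, queue = {ZERO: None}, deque([ZERO])
    while queue:
        v = queue.popleft()
        if v == target:
            path = []
            while v is not None:
                path.append(v)
                v = parent[v]
            return path[::-1]
        for a, b in sorted(edges):
            if a == v and b not in parent:
                parent[b] = v
                queue.append(b)
    return None

def witness(edges, target, K):
    """Inputs i1, i2 from the proof; returns (d_in, d_out), or None when the
    target is unreachable. Assumes target != ZERO."""
    path = shortest_path(edges, target)
    if path is None:
        return None
    flipped = (1 - target[0],) + target[1:]       # t': one bit of t changed
    i1 = path + [ZERO] * K
    i2 = path[:-1] + [flipped] + [ZERO] * K
    run = make_asc(edges, target)
    return manhattan(i1, i2), manhattan(run(i1), run(i2))

def output_always_zero(edges, target, max_len):
    """Exhaustively checks every input word up to max_len letters."""
    run = make_asc(edges, target)
    letters = list(product((0, 1), repeat=N))
    return all(not any(run(word))
               for n in range(1, max_len + 1)
               for word in product(letters, repeat=n))

# Constructed instances: the target (1, 1) is reachable in the first graph only.
TARGET = (1, 1)
REACHABLE = {((0, 0), (0, 1)), ((0, 1), (1, 1))}
UNREACHABLE = {((0, 0), (0, 1)), ((1, 0), (1, 1))}

if __name__ == "__main__":
    for K in (1, 5, 50):
        d_in, d_out = witness(REACHABLE, TARGET, K)
        print(f"K={K}: d_in={d_in}, d_out={d_out}, violates: {d_out > K * d_in}")
    print("unreachable target, output always 0:",
          output_always_zero(UNREACHABLE, TARGET, 5))
```

For every K the reachable instance yields an input distance of 1 and an output distance of K + 1, so no Lipschitz constant bounds the circuit, while the unreachable instance never raises its output.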

Remark 20. Recall that the domain of an ASC C with input alphabet
$\Sigma = \{0,1\}^m$ is given by $\mathrm{dom}(C) = TC(\Sigma)$. For any timed
Manhattan distance $d_{TM}$ over dom(C) such that $\forall a, b \in \Sigma$,
$\mathit{diff}(a, b) < 1$, Proposition [13] states that the Skorokhod distance
w.r.t. coincides with $d_{TM}$. Hence, K-robustness w.r.t. such Skorokhod distances
is PSPACE-complete as well.

A Proofs from Section 3

Proposition 5. (i): For every timed transducer $T$ that has no cycles labeled by
$\Gamma$, there exists a (nondeterministic) discrete transducer $T^d$ of exponential
size in $|T|$ such that $\mathit{untimed}([\![T]\!])$ and $[\![T^d]\!]$ coincide.
(ii): For every discrete transducer $T^d$, there exists a timed transducer $T$ that
has no cycles labeled by $\Gamma$ such that $\mathit{untimed}([\![T]\!])$ and
$[\![T^d]\!]$ coincide.

Proof. (i): Consider a timed transducer $T$. Let $A$ be a finite automaton that
accepts the untimed language of $T$. Such an automaton exists, it is of exponential
time and can be constructed out of the region graph for $T$ 'I]. Since $T$ does not
have cycles labeled by $\Gamma$, all paths in $A$ labeled by $\Gamma$ are finite. We
build a transducer $T^d$ from $A$ in the following way: $T^d$ has the same set of
states, the same initial state and the same accepting states as $A$. Next,
$(q, a, w, q')$ is a transition of $T^d$ iff there is a path in $A$ labeled with
$aw$, where $a \in \Sigma$, $w \in \Gamma^*$ and that path cannot be extended by a
transition labeled with $\Gamma$. It follows from the construction that
$\mathit{untimed}([\![T]\!])$ and $[\![T^d]\!]$ coincide.

(ii): Consider a discrete transducer $T^d$. We construct a timed I/O automaton
$T$ without clocks from $T^d$. Basically, we substitute each transition
$(q, a, w, q')$ with $w = w[1] \ldots w[k]$ by a path (q, a, T, 0, q( q
(qU’ w ’ 0 \a,T,$,qti’ w ’' i: l),...,(qU' w ’ k \a,T,{b,q'). Clearly,
$\mathit{untimed}([\![T]\!])$ and $[\![T^d]\!]$ coincide.

Proposition 6. Deciding timed functionality of a timed transducer is
PSpace-complete.

Proof. Containment in PSpace: We construct a timed automaton $A$ as
$T \times T' \times A^{\neq}$, where

1. $T$ is a transducer from $TC(\Sigma)$ to $TC(\Gamma)$,

2. $T'$ is a transducer from $TC(\Sigma)$ to $TC(\Gamma')$, where
$\Gamma' = \{a' : a \in \Gamma\}$ is disjoint from $\Sigma, \Gamma$,

3. $A^{\neq}$ is an automaton that works over $TC(\Gamma \cup \Gamma')$ and accepts
languages of words $w \oplus v$, with $w \in TC(\Gamma)$, $v \in TC(\Gamma')$, such
that w does not correspond to v, i.e., if every event in v is translated to
(a, t), the resulting timed word is different than w.

The timed automaton $A$ accepts timed words over the alphabet
$\Sigma \cup \Gamma \cup \Gamma'$ that are counterexamples to the functionality
property of $T$. Therefore, functionality of $T$ reduces in polynomial time to the
emptiness problem for timed automata.

PSpace-hardness: We reduce the emptiness problem for timed automata
to deciding functionality of timed transducers. Given a timed automaton A,
we transform it into a timed transducer T b by substituting each switch s = 
( l,a,g,X,l ') with two switches (l,a, g, X U x 9 ,l 9 ) and ( l 9 ,a,g/\g = 0 
where l 9 is a fresh location and l 9 is a new clock common for all new switches. 
Basically, the transducer T implements the identity function on the timed
language of A. Now, we construct a transducer T' from $TC(\Sigma)$ to
$TC(\Sigma \cup \{\bot\})$, such that for every
$(a_0, t_0) \ldots (a_n, t_n) \in TC(\Sigma)$,
$(\bot, t_0) \ldots (\bot, t_n) \in [\![T']\!]$. Then,
such a transducer T' is functional iff A accepts the empty language.

Proposition 7. (1) A deterministic timed transducer in which (a) all switches
labeled by $\Gamma$ are rigid, and (b) all locations with outgoing switches labeled
with $\Gamma$ are unambiguous, is functional. (2) Every function defined by a
deterministic safe timed transducer is also defined by a deterministic safe timed
transducer satisfying (a) and (b) from (1).

Proof. (1): Consider two timed words w, v over the alphabet $\Sigma \cup \Gamma$
such that their projections on events over $\Sigma$ are equal. We can prove by
induction on the number of events in w, v that w, v are equal. Assume that w and v
are equal up to event i. Therefore, T is in the same state $(l, \nu)$ upon reading
the first i events of w as v. If w[i + 1] and v[i + 1] are both input events, then
it is the same event by the assumption on projections. Otherwise, l has an outgoing
switch labeled by $\Gamma$, hence it is an unambiguous location. It follows that
there is exactly one switch s outgoing of l whose guard is satisfied by $\nu + t$
for some t. In consequence, the untimed parts of w[i + 1] and v[i + 1] are equal.
Moreover, the guard of s contains equality, therefore the time that T spends in l
is uniquely determined, i.e., the timestamps of w and v are equal. It follows that
w[i + 1] = v[i + 1].

(2): Consider a deterministic functional timed transducer T and its switch
$(l, a, g, X, l')$. First, we claim that in every accepting run, every time the
switch $(l, a, g, X, l')$ is taken, the value of at least one clock is equal to a
constant from g, therefore it can be replaced by at most linearly many (in the size
of T) rigid switches.

Towards contradiction, suppose that there is an accepting run $\pi$ in which the
switch is taken at a position i at which no clock value equals any guard from
g. Then, consider two runs: $\pi_1$, obtained by truncating $\pi$ to the first
position after i at which a switch labeled with $\Sigma$ is taken (or just $\pi$ if
there is no such position). Next, $\pi_2$ is obtained from $\pi_1$ by increasing the
time spent in l by a small amount so that the guards of g are still satisfied.
Since T is a safe transducer, both runs $\pi_1$ and $\pi_2$ are accepting. Observe
that both runs projected on events from $\Sigma$ are the same. However, projections
of $\pi_1$ and $\pi_2$ on events from $\Gamma$ are different, which contradicts
functionality of T.

Second, consider a location l with outgoing switches labeled by $\Gamma$. Observe
that either l does not have outgoing switches labeled by $\Sigma$ or there is no
accepting run going through l that takes a switch labeled with $\Gamma$. Indeed, if
there is such a run and l has an outgoing switch labeled with $\Sigma$, then l is an
accepting location. Hence, the run truncated to the position of l is accepting and
the run truncated to the first accepting position past l is also accepting.
Projections of those two runs on $\Gamma$ are different, but projections on $\Sigma$
are equal, which contradicts functionality. It follows that we may transform the
transducer to an equivalent one, whose locations have either all outgoing switches
labeled with $\Sigma$ or all outgoing switches labeled with $\Gamma$.

Finally, we can extend guards of each switch by the full information about the
timed automata region, i.e., a switch s with a guard g is substituted with switches
$s_1, \ldots, s_k$ with guards $g_1, \ldots, g_k$ that are maximal conjunctions of
inequalities of clocks that are consistent with g. Next, we remove switches that
are not taken in any accepting run.

Consider a location l with all outgoing switches labeled by $\Gamma$. We claim that
(*) enriching each switch guarded by g with formulas $\forall t. \neg g'(x + t)$,
where g' are guards of other switches, does not change the set of accepted runs.
Observe that linear arithmetic admits quantifier elimination, hence
$\forall t. \neg g'(x + t)$ can be changed to a quantifier-free formula, which can
be written in a disjunctive normal form $g'_1 \vee \ldots \vee g'_p$ such that
conjunctions $g'_i$ and $g'_j$ are inconsistent for $i \neq j$. Then, we substitute
the switch with the guard g by p switches with the same locations, label and reset
variables, but guards $g \wedge g'_1, \ldots, g \wedge g'_p$. Such guards are
strongly inconsistent.

It remains to prove (*). If an accepting run contains a state $(l, \nu)$ such that
$\nu$ satisfies the guard g of a switch s and for some $t \geq 0$, $\nu + t$
satisfies the guard g' of a switch s' with $s \neq s'$, then the transducer is not
functional. Indeed, we consider two cases. Assume that t = 0. Since the transducer
is deterministic, s and s' are labeled with different letters from $\Gamma$.
Similarly to the previous cases, we can construct two accepting runs that are
identical till the location l, but then one takes s and terminates as soon as it
reaches an accepting location. The other run takes s' and also terminates as soon
as it reaches an accepting location. Such two runs violate the functionality
property. Assume that t > 0. Again we can construct two runs that violate
functionality as the time spent in l is different for both runs.

Remark 21. The safety assumption in (2) of Proposition 7 is essential. Indeed,
consider a function $f$ defined on the domain
$\{(a, 0)(a, x + 1) : x \in \mathbb{R}^+\}$ as
$f((a, 0)(a, x + 1)) = (b, x)(b, x + 1)$. This function can be represented by a
deterministic functional transducer that accepts words
$(a, 0)(b, x)(a, x + 1)(b, x + 1)$. The switch taken on the event $(b, x)$ cannot
be rigid though. Intuitively, in deterministic timed transducers, the timestamp of
every output has to be fixed w.r.t. the input events. But, it can be fixed w.r.t.
proceeding input events, or, as in the case of $f$, it can be fixed w.r.t. some of
the proceeding output events. Unfortunately, this implies that necessary and
sufficient conditions for functionality of deterministic transducers are non-local
and involve some reachability-based conditions, which are usually PSPACE-hard for
timed automata.

B Proofs from Section 6

For our automata constructions, we find it helpful to view timed words as starting
with symbol $\epsilon$ and ending with symbol #. Given alphabet $\Sigma$, let
$\Sigma^{\#}$ denote $\Sigma \cup \{\#\}$ and $\Sigma^{\epsilon,\#}$ denote
$\Sigma \cup \{\epsilon, \#\}$. For a string w, we use w[i] to refer to the i-th
letter of w, with the first letter at index 0.

Theorem 15. Let $d_\Sigma, d_\Gamma$ be timed-automatic similarity functions such
that $d_\Sigma, d_\Gamma$ are computed by (nondeterministic) WTA.

(i) There exists a sound procedure for checking K-robustness of a
timed-synchronized transducer w.r.t. $d_\Sigma, d_\Gamma$ that works in polynomial
space.

(ii) If $d_\Gamma$ is computed by a functional WTA, checking K-robustness of a
timed-synchronized transducer w.r.t. $d_\Sigma, d_\Gamma$ is PSpace-complete.

Proof. Given automata As computing ds, As computing dr and the timed 
transducer T we construct a weighted timed automaton A such that A has 
a run of value less than 0 iff T is not /v-robust. We first define variants of 
As, Ar and T to enable these automata to operate over a common alphabet 
A = E © E © r © T. In particular, we define automata As, Ar,Aff, A§ on A 
such that for all w,v,w',v': 

1 . the value of As on w ® v © w' ® v' is equal to the value of Ar on w © v, 

2 . the value of Ad r on w ® v © w' ® v' is equal to the value of Ad r on w 1 © v', 

3. Aff accepts w © v © w' © v' iff Ar accepts w © w', and 

4. Af} accepts w © v © w' © v' iff Ar accepts v © v'. 

Let A%, Af 1 be weighted timed automata obtained by multiplying each 
transition weight of As, Ar by AT, — 1 , respectively. Consider the weighted 
timed automaton A defined as A% x A r f x Aff x Af 1 , the synchronized product 
of automata A^, Alf, A^, Af 1 where the weight of each transition is equal the 
sum of the weights of the corresponding transitions in A% and Af 1 . 

Now, we show that there exists a word with value below 0 assigned by $A$
iff $T$ is not K-robust w.r.t. $d_\Sigma, d_\Gamma$.

Consider words w, v, w', v' such that $A$ accepts
$w \oplus v \oplus w' \oplus v'$. The value assigned by $A$ to this timed word
equals $K d_\Sigma(w, v) + \inf_{\pi \in Acc} -val_\pi$, where Acc is the set of
accepting runs of $A_{d_\Gamma}$ on $w' \oplus v'$ and $val_\pi$ denotes the value
of run $\pi$.

If the language of $A$ is empty for threshold 0, it means that for all words w, v,
$K d_\Sigma(w, v) \geq \inf_{\pi \in Acc} val_\pi$. By the definition of
$A_{d_\Gamma}$, $\inf_{\pi \in Acc} val_\pi = d_\Gamma(w', v')$.
Hence, it follows that $T$ is K-robust.

If $A_{d_\Gamma}$ is functional, each run in Acc has the same value
$d_\Gamma(w', v')$. Thus, $\mathcal{L}_A(w \oplus v \oplus w' \oplus v')$ equals
$K d_\Sigma(w, v) - d_\Gamma(w', v')$, and
$\mathcal{L}_A(w \oplus v \oplus w' \oplus v') < 0$ implies $T$ is not K-robust.
Conversely, if $T$ is not K-robust there are words w, v such that
$d_\Gamma([\![T]\!](w), [\![T]\!](v)) > K d_\Sigma(w, v)$. This implies $A$ accepts
$w \oplus v \oplus [\![T]\!](w) \oplus [\![T]\!](v)$ and
$\mathcal{L}_A(w \oplus v \oplus [\![T]\!](w) \oplus [\![T]\!](v)) < 0$. Thus,
nonemptiness of $A$ and K-robustness of $T$ w.r.t. $d_\Sigma, d_\Gamma$ coincide.

The timed Manhattan distance $d_{TM}$ over timed words is computed by a
functional WTA.

Proof. Let $A = (\Sigma^{\#} \times \{1, 2\}, L, \ell_0, X, F, \delta, C)$ be a
weighted timed automaton where:

- $L = \{\ell_{a,b} : a, b \in \Sigma^{\epsilon,\#}\}$

- $\ell_0 = \ell_{\epsilon,\epsilon}$

- $X = \{x\}$

- $(\ell_{a,b}, s, g, \rho, \ell_{a',b'}) \in \delta$ iff $g = true$,
$\rho = \{\}$, and exactly one of the following holds:

1. $s = (c, 1)$ with $c \in \Sigma^{\#}$, $a' = c$ and $b' = b$, or,

2. $s = (c, 2)$ with $c \in \Sigma^{\#}$, $a' = a$ and $b' = c$

- $F = \{\ell_{\#,\#}\}$

- For each $\ell_{a,b} \in L$: $C(\ell_{a,b}) = \mathit{diff}(a, b)$ and for each
$e \in \delta$: $C(e) = 0$

Observe that $A$ is deterministic and $\mathcal{L}_A(s \oplus t) = d_{TM}(s, t)$.

Let A, B be any nonnegative real numbers. The accumulated delay distance
$d_{AD}$ over timed words w, v such that:

1. the duration of any segment in $w_C, v_C$ is greater than A and

2. the delay $|\delta_j - \tau_j|$ between corresponding events in $w_C, v_C$ is
less than B,
is computed by a functional WTA.

Proof. Let $M = \lceil B / A \rceil$. In the following, we assume that the symbol
duration of any timed symbol is greater than or equal to A, the delay between
corresponding events is less than or equal to B, and that timed words are
well-formed, i.e., there is no timed symbol after the # symbol (we do not check for
any of these).

Let id = {a|a £ S}. 

Let A = ((B US) x {1,2},L,£ 0 ,X,F,S,C) be a weighted timed automa¬ 
ton where: 

- L = {£( w ,i) : i £ { 1 , 2} , \w\ < M + 1 ,w £ (eU S).S*} U {£( w ,#,i) '■ * 6 
{1,2}, M < M, w £ s*} U {4, U, 4ej} 

— £o = 4 

- X = {x} 

— (£ a , s, g, p, £' a ,) £ S iff g = true, p = {} and one of the following holds: 

1. For i £ {1,2}: a = e, s = (c, i) with c £ X*, and of = (c, i ), or, 

2. For i £ {1,2}: a = (w, i) with w < M, s = (c, i) with c £ S and 
c jtz ui[|u;| — 1 ], and of = ( w.c,i ), or, 

3. For i £ {1,2}: a = (■ w,i ) with w < M, s = ( c,i) with c £ S and 
c = u>[|u>| — 1], and of = (u>,*), or, 

4. For i £ {1,2}: a = ( w,i ) with tu = M, s = (c,i) with c £ S, and 
a' = rej, or, 

5. For i £ {1,2}: a = (w,i) with w < M, s = (#,*), and cc' = ( w.#.i ), or, 



6 . For i £ {1,2}: a = (■ w,i ) with |u>| > 1, w = c.x, s = ( c,j ) with j = 3 — i, 
and a' = (c.a;, i) 

7. For i £ {1,2}: a = ( f.w,i ) with |io| > 1, tc = c.a;, s = (c, j) with 
j = 3 — i, and a 1 = ( x , *) 

8 . For ? £ {1,2}: a = ( f.w,i ), w = x, s = ( c,j ) with c = f, j = 3 — i, and 
a' = (f.w,i) 

9. For i £ {1,2}: a = ( f.w,i ) with |ui| > 1, u> = c.a;, s = (d,j) with c 
and d ^ /, j = 3 — i, and a 1 = rej 

10. For i £ {1,2}: a = ( f.w,i ) with w < M, s = ( c,i ) with c £ S and 
c ^ u>[|u>| — 1 ], and a! = ( f.w.c , *), or, 

11. For « £ {1,2}: a = ( f.w,i ) with to < M, s = (■ c,i ) with c £ S and 
c = u>[|ic| — 1 ], and a' = ( f.w,i ), or, 

12. For i £ {1,2}: a = s = (c, j) with c £ S, j = 3 — i, and a' = e 

13. For i £ {1,2}: a = (#,z), s = (#, j), j = 3 — i, and a! = # 

14. For i £ {1,2}: a = ( d,i ) with d ^ c, s = ( c,j) with c £ 27 # , j = 3 — i, 

and a! = rej 

15. a = rej, s = *, and a' = rej 

- F = e t 

— For each l w £ L: C(l w ) = ]iu| and for each e £ 5: C(e) = 0 

Observe that $A$ is deterministic. We claim that
$\mathcal{L}_A(w \oplus v) = d_{AD}(w, v)$.
The main insight is as follows. $d_{AD}(w, v)$ is the sum of the waiting times
for every symbol of $timed(w_C)$, $timed(v_C)$ for its matching symbol from
$timed(v_C)$, $timed(w_C)$, respectively. State $\ell_{(w,i)}$ stores the subword w
of $untimed(timed(w_C))$ that has arrived already, and is waiting to be matched
with the corresponding subword of $untimed(timed(v_C))$. Thus, as long as a symbol
c of w is not consumed by a matching symbol of $untimed(timed(v_C))$, we need
to count the duration spent waiting for (c, 2). This equals the sum of the time
spent in each state $\ell_{(x,i)}$ visited since seeing (c, 1) until seeing (c, 2).
The above cost function ensures that the value of a run on $w \oplus v$ equals
$d_{AD}(w, v)$. Once a symbol c of w is consumed by a matching symbol of
$untimed(timed(v_C))$, one needs to disregard subsequent c symbols of v without
trying to match them with symbols of w. This is because we are tracking the
distance between $timed(w_C)$ and $timed(v_C)$, and not w and v. This is taken care
of using states of the form which remember the symbol f to be disregarded.

[Skorokhod distance is realized by a piecewise linear function] Let w, v be
timed words. Let g be the number of segments in v. For every $\epsilon > 0$, there
exists a piecewise linear function $\lambda$ consisting of g segments such that
$|\, \|Id - \lambda\|_1 + d_{TM}(w_C, v_C \circ \lambda) - d_S(w_C, v_C) \,| < \epsilon$.

Proof. Let v be a timed word and the domain of $v_C$ is [a, b]. Consider two
continuous bijections from [a, b] onto itself, $\lambda_1, \lambda_2$. Observe that
if $\lambda_1, \lambda_2$ agree on timestamps of the events of v, i.e., for every
event $(a, t) \in v$ we have $\lambda_1(t) = \lambda_2(t)$, then
$v_C \circ \lambda_1 = v_C \circ \lambda_2$.

Now, let $\lambda \in \Lambda$ satisfy
$|\, \|I - \lambda\|_1 + d_{TM}(w_C, v_C \circ \lambda) - d_S(w_C, v_C) \,| < \epsilon$.
Consider a piecewise linear function $\lambda'$ consisting of $|v|$ segments that
agrees with $\lambda$ on the timestamps of the events of v. Then,
$v_C \circ \lambda = v_C \circ \lambda'$ and
$|\, \|I - \lambda'\|_1 + d_{TM}(w_C, v_C \circ \lambda') - d_S(w_C, v_C) \,| < \epsilon$.

Let A, B be any nonnegative real numbers. The Skorokhod distance $d_S$ over
timed words w, v restricted to time distortions $\lambda$ such that:

1. the duration of any segment in $v_C$, $v_C \circ \lambda$ is greater than A and

2. the delay $|\delta_j - \tau_j|$ between corresponding events in $v_C$,
$v_C \circ \lambda$ is less than B,
is computed by a nondeterministic WTA.

Proof. Consider an alphabet $\Sigma \times \{1, 2, 3\}$. We consider words over
such an alphabet to be the disjoint union of three words $w_1, w_2$ and $w_3$
denoted by $w_1 \oplus w_2 \oplus w_3$. First, we construct a weighted timed
automaton $A_1$, which on a word $w_1 \oplus w_2 \oplus w_3$ computes the sum of the
timed Manhattan distance between words $w_1$ and $w_3$ and the lossy accumulated
delay distance between $w_2$ and $w_3$. The automaton $A_1$ is a product of weighted
timed automata that compute the timed Manhattan distance and the lossy accumulated
delay. The automaton $A_2$ is a projection of $A_1$ on $\Sigma \times \{1, 2\}$,
i.e., it computes $\inf_{w_3} d_{AD}(w_2, w_3) + d_{TM}(w_1, w_3)$. Observe
that $w_3$ can be considered as $w_2 \circ \lambda$ and $d_{AD}(w_2, w_3)$ coincides
with the $L_1$-norm of $I - \lambda$.


C Proofs from Section 7

(1) If the input to an ASC is a step function, the output is a step function.

(2) Given an ASC $C$, one can compute in polynomial space a discrete
letter-to-letter transducer $T_C$ such that for every step function $f$, the output
of $C$ on $f$ is $f_v$, where $v$ is the output of $T_C$ on $w_f$.

Proof. (1): It readily follows from the discussion preceding the lemma in Section 7.
(2): Let M be the maximal delay in a given ASC. The discrete transducer $T_C$
stores the sequence of excitation variables from the last M+1 rounds
$z_0, \ldots, z_M$, i.e., the state space is $(\{0,1\}^k)^M$. At each step, $T_C$
shifts stored excitation variables and computes the new value of the most recent
excitation variables $z_0$ and the output variables o using Boolean functions f, g.
In these functions, the values of secondary variables are obtained from
appropriately delayed excitation variables.

Observe that the size of $T_C$ is exponential in the number of variables. However,
the set of states has compact representation $(\{0,1\}^k)^M$, as well as the input
and output alphabets $\{0,1\}^m$ and respectively $\{0,1\}^n$. Moreover, given
Boolean vectors q, q', a, b of lengths kM, kM, m, n, we can compute in polynomial
time whether $T_C$ has a transition from q to q' upon reading a at which it outputs
q'. Finally, $T_C$ is a deterministic letter-to-letter transducer.

Let $C$ be an ASC with integer delay elements. If $C$ is not K-robust w.r.t.
timed Manhattan distances $d_\Sigma, d_\Gamma$, then there exists a pair of step
functions $f_1, f_2$ such that
$d_\Gamma([\![C]\!](f_1), [\![C]\!](f_2)) > K \cdot d_\Sigma(f_1, f_2)$.

Proof. Consider functions $f_1, f_2$ on the domain [0, T] that witness
non-K-robustness of a given ASC, i.e.,
$d_\Gamma([\![C]\!](f_1), [\![C]\!](f_2)) - K \cdot d_\Sigma(f_1, f_2) > 0$.
Recall that the output of the ASC at time t depends only on inputs at times
$\mathrm{frac}(t), \mathrm{frac}(t) + 1, \ldots, t$. Therefore, we can consider
separately $f_1, f_2$ and their corresponding outputs at times from
$T_x = \{x + i : i \in \mathbb{N}, x + i < T\}$, i.e., reals from [0, T] with the
fractional part x. The value of
$d_\Gamma([\![C]\!](f_1), [\![C]\!](f_2)) - K \cdot d_\Sigma(f_1, f_2)$ on $T_x$ is
a finite sum
$\sum_{t \in T_x} (\mathit{diff}_\Gamma([\![C]\!](f_1)(t), [\![C]\!](f_2)(t)) - K \, \mathit{diff}_\Sigma(f_1(t), f_2(t)))$.
We observe that the value of
$d_\Gamma([\![C]\!](f_1), [\![C]\!](f_2)) - K \cdot d_\Sigma(f_1, f_2)$ on [0, T]
is the integral over [0, 1) of
$\sum_{t \in T_x} (\mathit{diff}_\Gamma([\![C]\!](f_1)(t), [\![C]\!](f_2)(t)) - K \, \mathit{diff}_\Sigma(f_1(t), f_2(t)))$
considered as a function of x. It follows that if the given ASC is not K-robust
then there exists $x \in [0, 1)$ such that
$\sum_{t \in T_x} (\mathit{diff}_\Gamma([\![C]\!](f_1)(t), [\![C]\!](f_2)(t)) - K \, \mathit{diff}_\Sigma(f_1(t), f_2(t)))$
is strictly positive. Clearly, step functions $g_1, g_2$ defined on each interval
$[i, i + 1)$ to be equal to $f_1(x + i)$ and respectively $f_2(x + i)$ satisfy
$d_\Gamma([\![C]\!](g_1), [\![C]\!](g_2)) - K \cdot d_\Sigma(g_1, g_2) > 0$, i.e.,
they witness non-K-robustness of the given ASC.



